LinuxQuestions.org

two factor authentication (http://www.linuxquestions.org/questions/linux-general-1/two-factor-authentication-769686/)

LinuxLover 11-17-2009 09:14 AM

two factor authentication
 
Hi,

We have around 150 Solaris and Linux servers in two remote datacenters.

Mostly we work by using ssh via a site-to-site VPN connection. To secure it more, and also as a requirement for our audit, we need to configure two-factor authentication in order to access our servers.

I am looking at wikid http://www.wikidsystems.com/.

Is there any other/better software-based solution to implement two-factor authentication?

Looking forward to your valuable :cool: opinions.

TB0ne 11-17-2009 09:44 AM

Quote:

Originally Posted by LinuxLover (Post 3760044)
Hi,

We have around 150 Solaris and Linux servers in two remote datacenters.

Mostly we work by using ssh via a site-to-site VPN connection. To secure it more, and also as a requirement for our audit, we need to configure two-factor authentication in order to access our servers.

I am looking at wikid http://www.wikidsystems.com/.

Is there any other/better software-based solution to implement two-factor authentication?

Looking forward to your valuable :cool: opinions.

That's a good solution, and I've used it before, but why would you need to? If you've got site-to-site VPN with any kind of decent security, that's pretty secure as is. I could perhaps see changing SSH ports to something other than 22, longer VPN passwords, etc., but c'mon. If this is on your internal network, which a VPN is essentially, it sounds like the auditors are trying to make themselves look valuable.

LinuxLover 11-17-2009 10:19 AM

Thanks for your reply.

We are in the Payment Card Industry and two-factor authentication is a requirement for the PCI audit.

I have installed the WiKID community edition but am now stuck on client authentication.

nickowen 11-17-2009 10:40 AM

Quote:

Originally Posted by LinuxLover (Post 3760116)
Thanks for your reply.

We are in the Payment Card Industry and two-factor authentication is a requirement for the PCI audit.

I have installed the WiKID community edition but am now stuck on client authentication.

What problem are you having? I'm more than happy to help out. Is your issue with the token client, or with configuring your boxes to talk to the WiKID server?

nick

LinuxLover 11-17-2009 11:57 AM

Hi nickowen,

Thanks for your reply. Currently we are looking at its community version, but we are planning to purchase the commercial version. I would highly appreciate it if you would help me in this regard. So far I have installed the authentication server but am not able to authenticate a client from it. For testing I am trying to authenticate a Windows XP box from it through the token client.

nickowen 11-17-2009 01:45 PM

Quote:

Originally Posted by LinuxLover (Post 3760239)
Hi nickowen,

Thanks for your reply. Currently we are looking at its community version, but we are planning to purchase the commercial version. I would highly appreciate it if you would help me in this regard. So far I have installed the authentication server but am not able to authenticate a client from it. For testing I am trying to authenticate a Windows XP box from it through the token client.

ok. You can test to see if your WiKID software token is working by trying to add this domain server code: 888888888888 (under Actions, Create New Domain). If you get a PIN prompt, then it should be working.

If it is, then it is probably an error on your server. What domain code do you have? It should be the zero-padded IP address of your server. So, 10.100.0.200 becomes 010100000200. The token needs to be able to route to the server over port 80. (We use public key encryption, so no need for SSL.)

If that all looks good, check the WiKIDAdmin logs (link on top left corner) and try running the token in debug mode:
http://www.wikidsystems.com/support/...client%20debug

HTH,

nick
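A small helper for the domain server code rule nick describes above (the zero-padded IP of the WiKID server), written as an added example that is not part of the thread or of WiKID's own software. It also reads the address back out of a radius.log "Checking user:passcode:domaincode" line from later in the thread, on the assumption (mine, not stated by nick) that the third field of that line is the same domain code.

```python
"""Added example, not from the thread or from WiKID Systems: derive the
WiKID domain server code from an IPv4 address and back. nickowen states
the code is the zero-padded IP of the server (10.100.0.200 ->
010100000200); the reverse lets you read the address out of a
radius.log line such as 'Checking ktahir:205690:192168150110', on the
assumption (mine) that its third field is that same domain code."""
import ipaddress

TEST_DOMAIN_CODE = "888888888888"   # demo code quoted in the thread, not an address

def wikid_domain_code(ip: str) -> str:
    """12-digit domain server code: each octet zero-padded to three digits."""
    addr = ipaddress.IPv4Address(ip)     # raises on anything that is not a valid IPv4
    return "".join(f"{octet:03d}" for octet in addr.packed)

def is_valid_domain_code(code: str) -> bool:
    """True for the test code or a 12-digit code whose octets are all <= 255."""
    if code == TEST_DOMAIN_CODE:
        return True
    if len(code) != 12 or not code.isdigit():
        return False
    return all(int(code[i:i + 3]) <= 255 for i in range(0, 12, 3))

def ip_from_domain_code(code: str) -> str:
    """Inverse of wikid_domain_code; the test code has no address."""
    if code == TEST_DOMAIN_CODE or not is_valid_domain_code(code):
        raise ValueError(f"not a server domain code: {code!r}")
    return ".".join(str(int(code[i:i + 3])) for i in range(0, 12, 3))

def domain_ip_from_check_line(line: str) -> str:
    """Parse 'Checking <user>:<passcode>:<domaincode>' from radius.log."""
    prefix = "Checking "
    if not line.startswith(prefix):
        raise ValueError("not a 'Checking' line")
    fields = line[len(prefix):].strip().split(":")
    if len(fields) != 3:
        raise ValueError("expected user:passcode:domaincode")
    return ip_from_domain_code(fields[2])

if __name__ == "__main__":
    print(wikid_domain_code("10.100.0.200"))                                 # 010100000200
    print(domain_ip_from_check_line("Checking ktahir:205690:192168150110"))  # 192.168.150.110
```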

LinuxLover 11-18-2009 07:34 AM

Thanks nickowen, for your valuable help.

I am able to connect by following your instructions; in fact, earlier I was entering the wrong domain code.

Now the token client is able to connect. At the next screen it gives me some passcode and a timer counting down from 30 seconds, as in the attached picture. So what is the next step to add the client for authentication? How can I use this passcode?

nickowen 11-18-2009 09:30 AM

Quote:

Originally Posted by LinuxLover (Post 3761253)
Thanks nickowen, for your valuable help.

I am able to connect by following your instructions; in fact, earlier I was entering the wrong domain code.

Now the token client is able to connect. At the next screen it gives me some passcode and a timer counting down from 30 seconds, as in the attached picture. So what is the next step to add the client for authentication? How can I use this passcode?

Great. We added a little test page to the server just for this purpose:

http://www.wikidsystems.com/support/...ing-correctly/

It is in /opt/WiKID/tomcat/webapps/WiKIDAdmin/ (as described). Change the default domain server code and the localhost passphrase and browse to the page, which is protected by the WiKIDAdmin creds. You should see HTML for registering/adding a token, authenticating an OTP, etc.
(This page demos all the functionality of the wAuth protocol.)

If this is working, you will probably want to think about testing this with your servers. It probably would make sense to do this test with the commercial version, which supports radius. You can try using ldap or tacacs (which is supported in pam), but radius is much cleaner. If you're using a commercial vpn, then radius is definitely the way to go.

If you use AD, you can also check out how to let users self-register based on their AD creds: http://www.wikidsystems.com/support/...ad-credentials

LinuxLover 11-18-2009 11:22 AM

Thanks for your help,

I installed the ISO image and am now able to verify the user at https://myserverurl/WiKIDAdmin/example.jsp

as given in the instructions at http://www.wikidsystems.com/support/...nual-all-pages

It gives me the message SUCCESS at the top when I check the user id in Online login.

Now how can I use this to configure it for my users who connect to remote servers by ssh?

nickowen 11-19-2009 09:24 AM

For ssh, on the open source Community edition your best bet is tacacs+: http://www.wikidsystems.com/support/...on-with-tacacs

I can't get ldap to work because PAM doesn't support the anonymous binds we use to validate the OTP.

For the enterprise version, Radius is the best bet: http://www.wikidsystems.com/support/...-radius-how-to

In both cases, you need to enable the protocol, create a network client and then restart the server. For tacacs, you probably also need to kick off the tacacs listener with:

# /opt/WiKID/bin/tac_plus -C /opt/WiKID/private/tacacs.conf

If your intention is to go Enterprise, now is a good time to switch. You won't get any benefit testing with tacacs. It's not the best option for ssh. It's fine for switches.

hth,

nick

LinuxLover 11-20-2009 10:11 AM

Thanks for your reply,

I am trying to authenticate an ssh user with the Enterprise version, but am still not able to do so.

I have installed the pam_radius_auth.so module as given in the link from you.

When I try to log in to this system it displays this error in the log file

Code:

Nov  3 09:01:00 nms-test sshd[8992]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 15178688.
Nov  3 09:01:02 nms-test sshd[8992]: Failed password for ktahir from 192.168.150.3 port 4464 ssh2
Nov  3 09:01:15 nms-test sshd[8993]: Received disconnect from 192.168.150.3: 13: Authentication cancelled by user.



I am not very sure what parameters need to be set on the server side.
I have enabled radius and a network client, and created the user, but I am unable to find any password option for that user.

LinuxLover 11-21-2009 06:09 AM

Hi,

I have moved a bit further with the help of the doc below.

http://www.wikidsystems.com/support/...ion-from-wikid

Now when I try to connect to the target server it fails authentication; below are the logs


Log of Target server

Code:

Nov  3 21:02:33 nms-test sshd[10692]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 11803584.
Nov  3 21:02:34 nms-test sshd[10692]: Failed password for ktahir from 192.168.150.3 port 1977 ssh2


Log of Wikid Server

Code:

tail -f /opt/WiKID/log/radius.log

NASip is '192.168.150.109'
PAP Request
passcode is 123456
Checking ktahir:123456:192168150110
Check returned false


I am not sure about that passcode. How do I set it on the WiKID server?

LinuxLover 11-21-2009 09:47 AM

Hi,
I moved one step more.

I downloaded the Token client for Linux, jwikid.xx.jar, onto the target Linux machine to which I want to ssh.

Then added it in network client. Also pam etc. set properly on the target Linux machine.

I generated the passcode by executing

# java -jar jwikid.x.x.jar

from this target machine.

Now when I try to ssh to my target machine it looks like the passcode is being authenticated by the WiKID server, as given below

Code:

# tail -f  /opt/WiKID/log/radius.log

NASip is '192.168.150.111'
PAP Request
passcode is 205690
Checking ktahir:205690:192168150110
Check returned true



User-Name (1), Length: 8, Data: [ktahir], 0x6B7461686972
User-Password (2), Length: 18, Data: 0xF43A844523FE9F09A2C0DA19C8754598
NAS-IP-Address (4), Length: 6, Data: [���o], [# 3232274031] / [IP 192.168.150.111], 0xC0A8966F
NAS-Identifier (32), Length: 6, Data: [sshd], [# 1936943204] / [IP 115.115.104.100], 0x73736864
NAS-Port (5), Length: 6, Data: [# 4263], 0x000010A7
NAS-Port-Type (61), Length: 6, Data: [# 5 (Virtual)], 0x00000005
Service-Type (6), Length: 6, Data: [# 8 (Authenticate-Only)], 0x00000008
Calling-Station-Id (31), Length: 15, Data: [192.168.150.3], 0x3139322E3136382E3135302E33




But still I am unable to log in. It asks for the password again and again.


Below is the log of target machine.


Code:

Nov 22 01:40:54 alpha sshd[4263]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 13298656.
Nov 22 01:40:54 alpha sshd[4263]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.3  user=ktahir
Nov 22 01:40:56 alpha sshd[4263]: Failed password for ktahir from 192.168.150.3 port 4558 ssh2


nickowen 11-23-2009 07:43 AM

Quote:

Originally Posted by LinuxLover (Post 3764820)
Hi,

I have moved a bit further with the help of the doc below.

http://www.wikidsystems.com/support/...ion-from-wikid

Now when I try to connect to the target server it fails authentication; below are the logs


Log of Target server

Code:

Nov  3 21:02:33 nms-test sshd[10692]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 11803584.
Nov  3 21:02:34 nms-test sshd[10692]: Failed password for ktahir from 192.168.150.3 port 1977 ssh2


Log of Wikid Server

Code:

tail -f /opt/WiKID/log/radius.log

NASip is '192.168.150.109'
PAP Request
passcode is 123456
Checking ktahir:123456:192168150110
Check returned false


I am not sure about that passcode. How do I set it on the WiKID server?

The passcode needs to be generated from the token. If you got 123456 from a token, we might need to double-check our random number generator :).

nickowen 11-23-2009 07:47 AM

Quote:

Originally Posted by LinuxLover (Post 3764965)
Hi,
I moved one step more.

I downloaded the Token client for Linux, jwikid.xx.jar, onto the target Linux machine to which I want to ssh.

Then added it in network client. Also pam etc. set properly on the target Linux machine.

I generated the passcode by executing

# java -jar jwikid.x.x.jar

from this target machine.

Now when I try to ssh to my target machine it looks like the passcode is being authenticated by the WiKID server, as given below

Code:

# tail -f  /opt/WiKID/log/radius.log

NASip is '192.168.150.111'
PAP Request
passcode is 205690
Checking ktahir:205690:192168150110
Check returned true



User-Name (1), Length: 8, Data: [ktahir], 0x6B7461686972
User-Password (2), Length: 18, Data: 0xF43A844523FE9F09A2C0DA19C8754598
NAS-IP-Address (4), Length: 6, Data: [���o], [# 3232274031] / [IP 192.168.150.111], 0xC0A8966F
NAS-Identifier (32), Length: 6, Data: [sshd], [# 1936943204] / [IP 115.115.104.100], 0x73736864
NAS-Port (5), Length: 6, Data: [# 4263], 0x000010A7
NAS-Port-Type (61), Length: 6, Data: [# 5 (Virtual)], 0x00000005
Service-Type (6), Length: 6, Data: [# 8 (Authenticate-Only)], 0x00000008
Calling-Station-Id (31), Length: 15, Data: [192.168.150.3], 0x3139322E3136382E3135302E33




But still I am unable to log in. It asks for the password again and again.


Below is the log of target machine.


Code:

Nov 22 01:40:54 alpha sshd[4263]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 13298656.
Nov 22 01:40:54 alpha sshd[4263]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.3  user=ktahir
Nov 22 01:40:56 alpha sshd[4263]: Failed password for ktahir from 192.168.150.3 port 4558 ssh2


If the WiKID server is returning true and the target SSH server is not validating the user, then the problem is most likely with your /etc/pam.d/sshd file. Do you have this line:

auth sufficient /lib/security/pam_radius_auth.so

? Post your /etc/pam.d/sshd file and I'll have a look.

nick
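To check the point nick raises (the WiKID server says "Check returned true" while sshd still fails), here is an added example, not from the thread or from WiKID Systems, that parses the auth stack of an /etc/pam.d/sshd file and reports the two usual mistakes: the pam_radius_auth line is missing, or a required pam_unix line sits above it so the Unix password is still demanded. The sample configurations are constructed for the demonstration.

```python
"""Added example, not from the thread or from WiKID Systems: check the
'auth' stack of an /etc/pam.d/sshd file for the pam_radius_auth line
nickowen asks about. A 'sufficient' entry ends the stack early only
when it succeeds, so if the line is missing, or a 'required' pam_unix
entry sits above it, an OTP the WiKID server accepts still leaves the
user at a password prompt. Sample configs are constructed here."""
from typing import List, NamedTuple

class PamLine(NamedTuple):
    facility: str   # auth / account / password / session
    control: str    # required / sufficient / [bracketed ...]
    module: str     # basename, e.g. pam_radius_auth.so

def parse_pam(text: str) -> List[PamLine]:
    """Parse 'type control module [args]' lines; comments and @include are skipped."""
    out = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0].startswith("@"):
            continue
        if parts[1].startswith("["):   # bracketed control, e.g. [success=1 default=ignore]
            end = next((i for i, p in enumerate(parts) if p.endswith("]")), None)
            if end is None or end + 1 >= len(parts):
                continue
            control, module = " ".join(parts[1:end + 1]), parts[end + 1]
        else:
            control, module = parts[1], parts[2]
        out.append(PamLine(parts[0], control, module.rsplit("/", 1)[-1]))
    return out

def radius_auth_problems(text: str) -> List[str]:
    """Return problems with the radius auth stack; an empty list means OK."""
    auth = [l for l in parse_pam(text) if l.facility == "auth"]
    idx = next((i for i, l in enumerate(auth) if l.module.startswith("pam_radius_auth")), None)
    if idx is None:
        return ["no 'auth ... pam_radius_auth.so' line"]
    problems = []
    if auth[idx].control != "sufficient":
        problems.append(f"pam_radius_auth control is {auth[idx].control!r}, expected 'sufficient'")
    for earlier in auth[:idx]:
        if earlier.module.startswith("pam_unix") and earlier.control in ("required", "requisite"):
            problems.append("pam_unix is required before pam_radius_auth, so the Unix password is still demanded")
    return problems

# Constructed samples: the first matches nickowen's advice, the others show the two typical mistakes.
SSHD_GOOD = "auth required pam_env.so\nauth sufficient /lib/security/pam_radius_auth.so\nauth required pam_unix.so nullok\naccount required pam_unix.so\n"
SSHD_MISSING = "auth required pam_env.so\nauth required pam_unix.so\naccount required pam_unix.so\n"
SSHD_ORDER = "auth required pam_unix.so\nauth sufficient /lib/security/pam_radius_auth.so\n"

if __name__ == "__main__":
    for name, cfg in (("good", SSHD_GOOD), ("missing", SSHD_MISSING), ("order", SSHD_ORDER)):
        print(name, radius_auth_problems(cfg) or "OK")
```

Run it against the real file with `radius_auth_problems(open("/etc/pam.d/sshd").read())`; lines pulled in via `@include` are not expanded, so check those files separately.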

